<!DOCTYPE html>
<html>

<head>
	<meta charset="utf-8">
	<meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1">
	<meta name="theme-color" content="#33474d">
	<title>apache 访问控制 | 失落的乐章</title>
	<link rel="stylesheet" href="/css/style.css" />
	
      <link rel="alternate" href="/atom.xml" title="失落的乐章" type="application/atom+xml">
    
</head>

<body>

	<header class="header">
		<nav class="header__nav">
			
				<a href="/archives" class="header__link">Archive</a>
			
				<a href="/tags" class="header__link">Tags</a>
			
				<a href="/atom.xml" class="header__link">RSS</a>
			
		</nav>
		<h1 class="header__title"><a href="/">失落的乐章</a></h1>
		<h2 class="header__subtitle">技术面前，永远都是学生。</h2>
	</header>

	<main>
		<article>
	
		<h1>apache 访问控制</h1>
	
	<div class="article__infos">
		<span class="article__date">2017-10-12</span><br />
		
		
			<span class="article__tags">
			  	<a class="article__tag-link" href="/tags/Apache/">Apache</a> <a class="article__tag-link" href="/tags/LAMP/">LAMP</a>
			</span>
		
	</div>

	

	
		<h2 id="allow-和-deny-规则"><a href="#allow-和-deny-规则" class="headerlink" title="allow 和 deny 规则"></a>allow 和 deny 规则</h2><p>&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;首先举例：</p>
<figure class="highlight bash"><table><tr><td class="gutter"><pre><div class="line">1</div><div class="line">2</div><div class="line">3</div></pre></td><td class="code"><pre><div class="line">Order deny,allow</div><div class="line">deny from all</div><div class="line">allow from 127.0.0.1</div></pre></td></tr></table></figure>
<p>&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;我们判断的依据是这样的：</p>
<ol>
<li>看 Order 后面的，哪个在前，哪个在后</li>
<li>如果 deny 在前，那么就需要看 deny from 这句，然后看 allow from 这一句</li>
<li>规则是一条一条的匹配的，不管是 deny 在前还是 allow 在前，都是会生效的。比如例子中，先 deny 了所有，然后又 allow 了127.0.0.1，所以 127.0.0.1 是通过的。</li>
</ol>
<p>&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;例子：</p>
<figure class="highlight bash"><table><tr><td class="gutter"><pre><div class="line">1</div><div class="line">2</div><div class="line">3</div></pre></td><td class="code"><pre><div class="line">Order allow,deny</div><div class="line">Deny from all</div><div class="line">Allow from 127.0.0.1</div></pre></td></tr></table></figure>
<p>&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;这个就会 deny 所有了， 127.0.0.1也会被 deny 。因为顺序是先 allow 然后 deny ，虽然一开始 allow 了127.0.0.1，但是后面又拒绝了它。</p>
<figure class="highlight bash"><table><tr><td class="gutter"><pre><div class="line">1</div><div class="line">2</div></pre></td><td class="code"><pre><div class="line">Order allow,deny</div><div class="line">Deny from all</div></pre></td></tr></table></figure>
<p>&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;上面的规则就表示，全部都不能通</p>
<figure class="highlight bash"><table><tr><td class="gutter"><pre><div class="line">1</div><div class="line">2</div></pre></td><td class="code"><pre><div class="line">Order deny,allow</div><div class="line">Deny from all</div></pre></td></tr></table></figure>
<p>&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;上面的规则就表示，全部都不能通</p>
<figure class="highlight bash"><table><tr><td class="gutter"><pre><div class="line">1</div></pre></td><td class="code"><pre><div class="line">Order deny,allow</div></pre></td></tr></table></figure>
<p>&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;只有顺序，没有具体的规则，表示，全部都可以通行（默认的），因为 allow 在最后。</p>
<figure class="highlight bash"><table><tr><td class="gutter"><pre><div class="line">1</div></pre></td><td class="code"><pre><div class="line">Order allow,deny</div></pre></td></tr></table></figure>
<p>&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;这个表示，全部都不能通行（默认的），因为 deny 在最后。</p>
<ol>
<li>做某个目录闲置，只允许内网 ip 访问，这个目录可以是网站根目录，也就是整个站点都要做限制了。</li>
</ol>
<figure class="highlight bash"><table><tr><td class="gutter"><pre><div class="line">1</div><div class="line">2</div><div class="line">3</div><div class="line">4</div><div class="line">5</div><div class="line">6</div><div class="line">7</div><div class="line">8</div><div class="line">9</div><div class="line">10</div></pre></td><td class="code"><pre><div class="line">[root@lamp ~]<span class="comment"># vim /usr/local/apache2/conf/extra/httpd-vhosts.conf</span></div><div class="line"></div><div class="line"></div><div class="line">&lt;Directory <span class="string">"/data/www、"</span>&gt;</div><div class="line">    AllowOverride None</div><div class="line">    Options None</div><div class="line">    Order deny,allow</div><div class="line">    Deny from all</div><div class="line">    Allow from 127.0.0.1</div><div class="line">&lt;/Directory&gt;</div></pre></td></tr></table></figure>
<p>&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;说明：只允许 127.0.0.1 访问，其他 ip 全部拒绝。</p>
<ol>
<li>针对请求的 uri 去限制，前面安装的 discuz 论坛，访问后台是 admin.php，那么就可以针对这个 admin.php 做限制。</li>
</ol>
<figure class="highlight bash"><table><tr><td class="gutter"><pre><div class="line">1</div><div class="line">2</div><div class="line">3</div><div class="line">4</div><div class="line">5</div><div class="line">6</div></pre></td><td class="code"><pre><div class="line">&lt;filesmatch <span class="string">"(.*)admin(.*)"</span>&gt;</div><div class="line">    Order Deny,Allow</div><div class="line">    Deny from all</div><div class="line">    Allow from 127.0.0.1</div><div class="line">&lt;/filesmatch&gt;</div><div class="line">`</div></pre></td></tr></table></figure>
<p>&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;说明：这里用到了 filesmatch 语法，表示匹配的意思。</p>
<p>&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;检测是否有错，重启apache 服务</p>
<figure class="highlight bash"><table><tr><td class="gutter"><pre><div class="line">1</div><div class="line">2</div><div class="line">3</div></pre></td><td class="code"><pre><div class="line">[root@lamp ~]<span class="comment"># apachectl -t</span></div><div class="line">Syntax OK</div><div class="line">[root@lamp ~]<span class="comment"># apachectl restart</span></div></pre></td></tr></table></figure>
<p>&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;用curl 测试</p>
<figure class="highlight bash"><table><tr><td class="gutter"><pre><div class="line">1</div><div class="line">2</div><div class="line">3</div><div class="line">4</div><div class="line">5</div><div class="line">6</div><div class="line">7</div><div class="line">8</div><div class="line">9</div><div class="line">10</div><div class="line">11</div><div class="line">12</div><div class="line">13</div><div class="line">14</div><div class="line">15</div><div class="line">16</div><div class="line">17</div><div class="line">18</div></pre></td><td class="code"><pre><div class="line">[root@lamp ~]<span class="comment"># curl -x192.168.0.99:80 -I www.test.com/admin.php</span></div><div class="line">HTTP/1.1 403 Forbidden</div><div class="line">Date: Thu, 05 Jan 2017 10:37:38 GMT</div><div class="line">Server: Apache/2.2.31 (Unix) PHP/5.6.6</div><div class="line">Content-Type: text/html; charset=iso-8859-1</div><div class="line"> </div><div class="line">[root@lamp ~]<span class="comment"># curl -x127.0.0.1:80 -I www.test.com/admin.php </span></div><div class="line">HTTP/1.1 200 OK</div><div class="line">Date: Thu, 05 Jan 2017 10:37:40 GMT</div><div class="line">Server: Apache/2.2.31 (Unix) PHP/5.6.6</div><div class="line">X-Powered-By: PHP/5.6.6</div><div class="line">Set-Cookie: cbq6_2132_saltkey=W35308HL; expires=Sat, 04-Feb-2017 10:37:40 GMT; Max-Age=2592000; path=/; httponly</div><div class="line">Set-Cookie: cbq6_2132_lastvisit=1483609060; expires=Sat, 04-Feb-2017 10:37:40 GMT; Max-Age=2592000; path=/</div><div class="line">Set-Cookie: cbq6_2132_sid=PUbGdd; expires=Fri, 06-Jan-2017 10:37:40 GMT; Max-Age=86400; path=/</div><div class="line">Set-Cookie: cbq6_2132_lastact=1483612660%09admin.php%09; expires=Fri, 06-Jan-2017 10:37:40 GMT; Max-Age=86400; path=/</div><div class="line">Cache-Control: max-age=0</div><div class="line">Expires: Thu, 05 Jan 2017 10:37:40 GMT</div><div class="line">Content-Type: text/html; charset=gbk</div></pre></td></tr></table></figure>
<p>&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;本机 ip 192.168.0.99 被拒绝，而 127.0.0.1 可以访问。</p>
<h2 id="Apache设置禁止访问-txt文件"><a href="#Apache设置禁止访问-txt文件" class="headerlink" title="Apache设置禁止访问.txt文件"></a>Apache设置禁止访问.txt文件</h2><p>&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;做了目录禁止浏览后，目录下面的txt文件还是可以显示里面的内容的。</p>
<p>&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;解决办法：</p>
<figure class="highlight bash"><table><tr><td class="gutter"><pre><div class="line">1</div><div class="line">2</div><div class="line">3</div><div class="line">4</div></pre></td><td class="code"><pre><div class="line">Options -Indexes   FollowSymLinks</div><div class="line">  AllowOverride All</div><div class="line">  Order allow,deny</div><div class="line">  Deny from all</div></pre></td></tr></table></figure>
<h2 id="apache-禁止trace或track防止xss攻击"><a href="#apache-禁止trace或track防止xss攻击" class="headerlink" title="apache 禁止trace或track防止xss攻击"></a>apache 禁止trace或track防止xss攻击</h2><p>&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;TRACE和TRACK是用来调试web服务器连接的HTTP方式。</p>
<p>&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;支持该方式的服务器存在跨站脚本漏洞，通常在描述各种浏览器缺陷的时候，把”Cross-Site-Tracing”简称为XST。</p>
<p>&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;攻击者可以利用此漏洞欺骗合法用户并得到他们的私人信息。</p>
<p>&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;禁用trace可以使用rewrite功能来实现</p>
<figure class="highlight bash"><table><tr><td class="gutter"><pre><div class="line">1</div><div class="line">2</div><div class="line">3</div><div class="line">4</div><div class="line">5</div></pre></td><td class="code"><pre><div class="line">&lt;IfModule mod_rewrite.c&gt;</div><div class="line">  RewriteEngine On</div><div class="line">  RewriteCondi %&#123;REQUEST_METHOD&#125; ^TRACE</div><div class="line">  RewriteRule .* - [F]</div><div class="line">&lt;/IfModule&gt;</div></pre></td></tr></table></figure>
<p>&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;或者还可以直接在apache的配置文件中配置相应参数</p>
<figure class="highlight bash"><table><tr><td class="gutter"><pre><div class="line">1</div></pre></td><td class="code"><pre><div class="line">TraceEnable off</div></pre></td></tr></table></figure>
	

	
		<span class="different-posts"><a href="/2017/10/12/Apache/42. apache 访问控制/" onclick="window.history.go(-1); return false;">⬅️ Go back </a></span>

	

</article>

	</main>

	<footer class="footer">
	<div class="footer-content">
		
	      <div class="footer__element">
	<p>Hi there, <br />welcome to my Blog glad you found it. Have a look around, will you?</p>
</div>

	    
	      <div class="footer__element">
	<h5>Check out</h5>
	<ul class="footer-links">
		<li class="footer-links__link"><a href="/archives">Archive</a></li>
		
		  <li class="footer-links__link"><a href="/atom.xml">RSS</a></li>
	    
		<li class="footer-links__link"><a href="/about">about page</a></li>
		<li class="footer-links__link"><a href="/tags">Tags</a></li>
		<li class="footer-links__link"><a href="/categories">Categories</a></li>
	</ul>
</div>

	    

		<div class="footer-credit">
			<span>© 2017 失落的乐章 | Powered by <a href="https://hexo.io/">Hexo</a> | Theme <a href="https://github.com/HoverBaum/meilidu-hexo">MeiliDu</a></span>
		</div>

	</div>


</footer>



</body>

</html>
